Wednesday, 28 June 2017

Ransomware can be used to make money. No, hear me out: ransomware as a vector to make money... no, it is not what you think.
So the latest ransomware is doing the rounds after the horror that was WannaCry: we now have Petya (sorry, this one went active months ago), NotPetya and GoldenEye all going active overnight. Petya has been around a while, but the new ones use the same vulnerability WannaCry did (EternalBlue), plus they now steal local credentials and re-use them to infect PCs across the network and the world that use the same credentials, regardless of their patch level. These viruses have been seen on everything from point-of-sale systems in Ukraine to chocolate factories (seriously, chocolate; do beer next and watch Australians find you and tear you limb from limb).

Anyway, so ransomware often holds your files to ransom by encrypting them with a key only the attackers know. They ransom your files, asking for payment in the somewhat untraceable cryptocurrency called Bitcoin (BTC). Bitcoin can be traded on online markets for real money. The only issue is, they never get much. You can actually tell by looking at the digital wallets connected to the ransomware (amounts as of 28/07):

So why do they do this? They don't actually make an amount equal to the development time or the disruption they cause. I've thought about this a lot. Surely there are better ways to make money. One virus (Adylkuzz) was recently found that also used the same vulnerability WannaCry did. However, Adylkuzz sat silently on the PC it infected, slowly infecting others... and mining a different cryptocurrency called Monero. Now that is a much smarter long-term money maker. Proofpoint have a good breakdown of Adylkuzz here, and as of the 15th of May, likely only a few weeks into their virus mining cryptocurrency, they had around US$50,000. This is important, as mining cryptocurrency takes time. Sorry I can't link directly to the wallets, as Monero doesn't work like Bitcoin in this regard. They seem to be using lots of Monero wallets too, so they are likely making a lot more.

This mining by malware I thought was an interesting method; though it isn't making them millionaires, it is still a slow, steady source of money.

The Bitcoin wallets used for the ransomware don't seem to make much, not for the effort put in to code and distribute the malware. No, the bad guys are performing, I think, a writ-large pump and dump scheme. Bitcoin has gone from around US$500 a year ago to US$2500 as of writing this. It is slated to get to US$5000 by the end of the year. In fact, if you look at the spikes, they have almost always coincided with ransomware releases; some spikes have come before the malware hit, perhaps indicating a buying frenzy by knowledgeable parties.

Combine this with some companies speculatively buying Bitcoin in case they get hit by ransomware (as reported on the Risky Business podcast), and other people buying simply because the value is increasing, and you have yourself a criminal-led massive pump and dump scam. The criminals probably bought and mined Bitcoin years ago and are sitting on it. They then pump the demand, and thus the price, up by doing these virus releases, selling them as ransomware-as-a-service to unsuspecting clients... then the price rises and rises... then they sell out all their Bitcoin. The market crashes... but they have millions. Better yet, their Bitcoin wallets are not in any way related to the ransomware transactions, so it becomes difficult to catch them, quite apart from the usual untraceable nature of Bitcoin transactions.

So there you have it: don't play into their game... maybe, or if you do, jump out before the bad guys dump out and kill the market. Good luck with that.

Oh, and protect yourself from this and all other ransomware by doing backups, not opening files from people you don't know, removing admin rights, making the local admin password unique per machine (so a credential stolen from one PC can't be re-used across the network, as described above), and maybe even rolling application whitelisting into your environment.